Test subject – Loky Lukitus ransomware

The Lukitus Loki variant is part of a new campaign following the “diablo” variant and is distributed via email campaigns containing malicious scripts either as office files or zip archives. One interesting feature of this variant, similar to the CryptoWall functionality, is that of scrambling files to make recovery even more difficult. In addition, Lukitus inherits very strong encryption functionality from the Locky ransomware family.

Loky “Lukitus” ransomware test facts

The email attachment runs a script that downloads the malicious payload. In our test, the payload is the executable called “Locky”. Before downloading the payload, the malicious script reads system information and exchanges data with its C&C server. Upon execution, the ransomware slowly starts to encrypt files and appends the “lukitus” extension, also attacking files accessible via the network. This variant also features detection-avoiding techniques characteristic to the Locky ransomware, such as environmental awareness and memory obfuscation of the malicious code.

“Loky Lukitus” ransomware test results

TEMASOFT Ranstop detects this Locky variant soon after it starts encrypting files. It blocks the encrypting process and quarantines the associated executable. An alert is triggered as the file recovery process starts. All files attacked by the Lukitus variant of Locky are restored without human intervention. At the time of our lab test, there is no decryption tool available for this Locky variant.

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.